From dcd0abd7d31ca158a191faea58bfbd080f1e2d6a Mon Sep 17 00:00:00 2001
From: Seunghun Lee
Date: Wed, 2 Jul 2025 12:02:52 +0100
Subject: [PATCH 1/3] Add secret store choice input
---
 .github/workflows/stackhpc-multinode.yml | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/.github/workflows/stackhpc-multinode.yml b/.github/workflows/stackhpc-multinode.yml
index c9e8193da..5b4bb314b 100644
--- a/.github/workflows/stackhpc-multinode.yml
+++ b/.github/workflows/stackhpc-multinode.yml
@@ -25,6 +25,13 @@ name: Multinode
 options:
 - ovn
 - ovs
+ secret_store:
+ description: Secret store to use as Certificate Authority
+ type: choice
+ default: openbao
+ options:
+ - openbao
+ - vault
 upgrade:
 description: Whether to perform an upgrade
 default: none
@@ -63,6 +70,7 @@ jobs:
 os_release: ${{ inputs.os_distribution == 'rocky' && '9' || 'noble' }}
 ssh_username: ${{ inputs.os_distribution == 'rocky' && 'cloud-user' || 'ubuntu' }}
 neutron_plugin: ${{ inputs.neutron_plugin }}
+ secret_store: ${{ inputs.secret_store }}
 upgrade: ${{ inputs.upgrade }}
 break_on: ${{ inputs.break_on }}
 # Workaround loss of number type using fromJSON: https://github.com/orgs/community/discussions/67182
From dd5feef68ee83e5050ba857c40b1050719dcea83 Mon Sep 17 00:00:00 2001
From: Seunghun Lee
Date: Wed, 2 Jul 2025 12:12:03 +0100
Subject: [PATCH 2/3] Add bool variable to choose CA secret store
---
 .../environments/ci-multinode/stackhpc-monitoring.yml | 2 +-
 etc/kayobe/environments/ci-multinode/tempest.yml | 2 +-
 etc/kayobe/stackhpc.yml | 7 +++++++
 3 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/etc/kayobe/environments/ci-multinode/stackhpc-monitoring.yml b/etc/kayobe/environments/ci-multinode/stackhpc-monitoring.yml
index 1d9514553..9e6248a38 100644
--- a/etc/kayobe/environments/ci-multinode/stackhpc-monitoring.yml
+++ b/etc/kayobe/environments/ci-multinode/stackhpc-monitoring.yml
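Review bot: The `secret_store: ${{ inputs.secret_store }}` line added under `with:` in the second hunk of `.github/workflows/stackhpc-multinode.yml` is passed to the reusable workflow while `uses:` still points at `multinode.yml@1.4.0`; the ref only changes in patch 3/3. GitHub rejects a `with:` key that the called workflow does not declare, so if 1.4.0 has no `secret_store` input (which the "Temp" repin suggests) this commit on its own leaves the workflow unrunnable and breaks bisecting. Consider squashing the ref change into this commit, or landing it only after a release of the reusable workflow that declares the input. The `with:` block starts and ends outside the hunk.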
@@ -1,3 +1,3 @@
 ---
 # Path to a CA certificate file to trust in the OpenStack Capacity exporter.
-stackhpc_os_capacity_openstack_cacert: "{{ kayobe_env_config_path }}/kolla/certificates/ca/openbao.crt"
+stackhpc_os_capacity_openstack_cacert: "{{ kayobe_env_config_path }}/kolla/certificates/ca/{{ openbao.crt if stackhpc_enable_openbao else vault.crt }}"
diff --git a/etc/kayobe/environments/ci-multinode/tempest.yml b/etc/kayobe/environments/ci-multinode/tempest.yml
index ae2d8f132..b996d9662 100644
--- a/etc/kayobe/environments/ci-multinode/tempest.yml
+++ b/etc/kayobe/environments/ci-multinode/tempest.yml
@@ -3,4 +3,4 @@ rally_no_sensitive_log: false
 # Add the Vault CA certificate to the rally container when running tempest.
-tempest_cacert: "{{ kayobe_env_config_path }}/kolla/certificates/ca/openbao.crt"
+tempest_cacert: "{{ kayobe_env_config_path }}/kolla/certificates/ca/{{ openbao.crt if stackhpc_enable_openbao else vault.crt }}"
diff --git a/etc/kayobe/stackhpc.yml b/etc/kayobe/stackhpc.yml
index 10b422d4d..53c335793 100644
--- a/etc/kayobe/stackhpc.yml
+++ b/etc/kayobe/stackhpc.yml
@@ -179,3 +179,10 @@ download_amphora_from_ark: true
 # Octavia Amphora image version
 stackhpc_amphora_image_version: "2025.1-20250619T113933"
+
+################################################################################
+# Certificate Authority
+
+# Whether or not OpenBao is used as Certificate Authority. Default is true.
+# If set to false, Hashicorp Vault is used instead.
+stackhpc_enable_openbao: true
From ca400f1c6870a57fa304c666dec06f98d024b87b Mon Sep 17 00:00:00 2001
From: Seunghun Lee
Date: Thu, 3 Jul 2025 09:14:31 +0100
Subject: [PATCH 3/3] Temp: Use dev branch of multinode workflow
---
 .github/workflows/stackhpc-multinode.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/stackhpc-multinode.yml b/.github/workflows/stackhpc-multinode.yml
index 5b4bb314b..cbc32e061 100644
--- a/.github/workflows/stackhpc-multinode.yml
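Review bot: In the new `stackhpc_os_capacity_openstack_cacert` value, `openbao.crt` and `vault.crt` are unquoted inside `{{ … }}`, so Jinja reads them as attribute `crt` of variables named `openbao` and `vault`, not as file names. Templating will most likely fail on an undefined variable, and if such a variable happens to exist the CA path silently becomes something else. Quote the literals: `{{ 'openbao.crt' if stackhpc_enable_openbao | bool else 'vault.crt' }}`. The `tempest_cacert` line in the `tempest.yml` hunk carries the same expression and needs the same fix. As this path is the trust anchor for TLS verification, it is worth checking the rendered value in CI for both settings of the flag.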
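Review bot: The context comment above `tempest_cacert` in `tempest.yml` still says "Add the Vault CA certificate", but with this change the default path points at the OpenBao CA. Suggest updating it in the same commit, e.g. `# Add the secret store (OpenBao or Vault) CA certificate to the rally container when running tempest.`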
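Review bot: `stackhpc_enable_openbao`, added in the `etc/kayobe/stackhpc.yml` hunk, is tested bare in the Jinja conditionals this series adds, and its comment does not say the value must be a real boolean. If CI or an operator overrides it as a `key=value` extra-var (how the workflow's `secret_store` choice is translated is not visible in this series), it arrives as the string `false`, which is truthy, and the OpenBao CA is still selected. Suggest adding a comment line such as `# Must be a boolean; consumers should apply the bool filter.` and using `stackhpc_enable_openbao | bool` wherever it is read.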
+++ b/.github/workflows/stackhpc-multinode.yml
@@ -63,7 +63,7 @@ name: Multinode
 jobs:
 multinode:
 name: Multinode
- uses: stackhpc/stackhpc-openstack-gh-workflows/.github/workflows/multinode.yml@1.4.0
+ uses: stackhpc/stackhpc-openstack-gh-workflows/.github/workflows/multinode.yml@ca-choice
 with:
 multinode_name: ${{ inputs.multinode_name }}
 os_distribution: ${{ inputs.os_distribution }}
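Review bot: The new `uses:` line pins the reusable workflow to the branch `ca-choice`, a mutable ref, so whatever is pushed to that branch next runs in this repository's multinode job with the inputs (and any secrets) handed to it. The subject marks this as temporary, so it should not merge as is. Repin to a release tag that contains the `secret_store` input, or to a full commit SHA if an immutable reference is wanted, e.g. `uses: stackhpc/stackhpc-openstack-gh-workflows/.github/workflows/multinode.yml@<full-commit-sha>`. The `multinode` job continues outside the hunk, so whether secrets are passed to the called workflow is not visible here.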